From e9f38e76d8a7b93c5c2bb0de918a9b156155f018 Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Mon, 26 Feb 2024 16:57:34 +0100
Subject: [PATCH] fix: expose `provider` under `amr` in access token (#1456)

#1437 broke the `amr` calculation in the access token as it skipped including the `provider` for the SAML AMR, which is vital for building RLS policies.
---
 internal/models/sessions.go | 41 +++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 13 deletions(-)

diff --git a/internal/models/sessions.go b/internal/models/sessions.go
index f4be5f7ead..5eae91a4b8 100644
--- a/internal/models/sessions.go
+++ b/internal/models/sessions.go
@@ -292,22 +292,37 @@ func (s *Session) CalculateAALAndAMR(user *User) (aal string, amr []AMREntry, er
 	}
 
 	// makes sure that the AMR claims are always ordered most-recent first
-	sort.Sort(sort.Reverse(sortAMREntries{
+
+	// sort in ascending order
+	sort.Sort(sortAMREntries{
 		Array: amr,
-	}))
+	})
 
-	if len(amr) > 0 && amr[len(amr)-1].Method == SSOSAML.String() {
-		return aal, amr, nil
-	}
-	// initial AMR claim is from sso/saml, we need to add information
-	// about the provider that was used for the authentication
-	identities := user.Identities
-	if len(identities) == 1 && identities[0].IsForSSOProvider() {
-		amr[len(amr)-1].Provider = strings.TrimPrefix(identities[0].Provider, "sso:")
+	// now reverse for descending order
+	_ = sort.Reverse(sortAMREntries{
+		Array: amr,
+	})
+
+	lastIndex := len(amr) - 1
+
+	if lastIndex > -1 && amr[lastIndex].Method == SSOSAML.String() {
+		// initial AMR claim is from sso/saml, we need to add information
+		// about the provider that was used for the authentication
+		identities := user.Identities
+
+		if len(identities) == 1 {
+			identity := identities[0]
+
+			if identity.IsForSSOProvider() {
+				amr[lastIndex].Provider = strings.TrimPrefix(identity.Provider, "sso:")
+			}
+		}
+
+		// otherwise we can't identify that this user account has only
+		// one SSO identity, so we are not encoding the provider at
+		// this time
 	}
-	// otherwise we can't identify that this user account has only
-	// one SSO identity, so we are not encoding the provider at
-	// this time
+
 	return aal, amr, nil
 }
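Review bot: `_ = sort.Reverse(sortAMREntries{Array: amr})` does not reverse anything — sort.Reverse only returns a wrapped sort.Interface, which is discarded here, so after this hunk `amr` stays in the ascending order produced by the `sort.Sort` just above, contradicting both the new "now reverse for descending order" comment and the surviving "most-recent first" comment. Because the provider lookup then keys off `amr[lastIndex]`, which entry receives `Provider` (and the claim order RLS policies see in the token) now depends on how sortAMREntries.Less orders entries, defined outside the hunk, rather than on the intended most-recent-first contract. Restore the single call `sort.Sort(sort.Reverse(sortAMREntries{Array: amr}))` in place of the ascending sort and delete the dead `_ = sort.Reverse(...)` block; if ascending order were actually intended, the "most-recent first" comment and the `lastIndex` choice would have to change together. A regression test asserting the position of the SAML entry and its `Provider` value after CalculateAALAndAMR would pin this, since the bug this commit fixes was itself an ordering/early-return mistake. The function's signature and the start of its body are outside the hunk.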